They say the devil is in the details. This is especially true for security professionals that use Splunk as their organization’s primary security analytics engine. Splunk analytics gives security teams a real-time view of machine data from networks, data centers, or IT environments. Organizations also use Splunk to retain log records for data repositories, which enables them to more easily comply with record retention requirements. In most cases, these logs represent a significant amount of the data indexed with Splunk.
Many organizations have adopted an “everything-to-Splunk” strategy to get all their data in one location, making it easier to analyze and retain. So far, so good. Here is where it gets dicey: Splunk is commonly priced by the volume of data ingested into the platform (GB/day). For an organization using Splunk to ingest 2,600GB per day at a cost of $0.88/GB per day, they spend $835,210 on ingestion costs alone – without even considering the costs of Splunk analysts and developers. Besides the staggering cost, Splunk does not help organizations gain comprehensive visibility and an understanding of what is happening with their data.
How can an organization use Splunk for log management and the ability to store real-time data as events and avoid the prohibitive cost? Then, how can security teams apply risk-based analytics functionality to the data that combines anomaly detection with data sensitivity context that looks for – and finds – threats that anomaly-based analytics alone do not detect? In this post, we’ll explain how Splunk integrates seamlessly with the Imperva Data Security Fabric (DSF) to reduce ingestion costs and accelerate security incident reporting, response, and forensics.
Imperva Data Security Fabric as pre-processor
The first step is to restrict the volume of data that Splunk needs to ingest. Imperva Data Security Fabric is designed to normalize, compress, and filter raw activity logs. Using Imperva DSF to pre-process data typically results in organizations needing to send just between 5-30% of the information they were sending to Splunk before pre-processing. As organizations devote most of their Spunk expenses to data ingestion, a 70-95% reduction in the volume of information being sent to Splunk for indexing represents dramatic cost savings.
Skip the Splunk ingestion
Imperva also provides an option to skip ingestion into Splunk altogether. A Splunk plug-in for Data Security Fabric allows Splunk native jobs to run against data sets stored in Imperva Data Security Fabric through virtual indexing. Storing the logs on Imperva rather than Splunk makes data ingestion unnecessary and can also reduce licensing costs.
Imperva Data Security Fabric and Splunk: Analytics on steroids
The second step is to use Imperva DSF to leverage Splunk functionality. Out of the box, Splunk consumes and correlates log telemetry from nearly every digital application. Organizations rely on Splunk for monitoring, analyzing, and searching machine-generated information. When organizations apply the complementary analytics functionality that Imperva DSF provides, they can look for and find threats that Splunk analytics alone does not detect. Imperva DSF also provides a comprehensive summary of incident details in a simple report that make the incident and its severity easy to understand, even when a security analyst does not have background knowledge of the data set involved.
Advanced threat detection with Splunk and Imperva DSF
Imperva DSF continuously analyzes data access activity and automatically determines if an access event violates compliance, a security policy, or varies from normal data access activity by peers in a user role. In addition, Imperva data risk analytics identify attack exploits or suspicious activity even if the behavior attempts to be evasive. Purpose-built algorithms identify signs of malicious insider behavior such as privilege escalation, data exfiltration, or exhibit signs of compromised user account activity that other security tools miss.
Where to learn more
We’re just scratching the surface of the capabilities of the Imperva Data Security Fabric and how it helps you get the most from your Splunk instance for the lowest possible cost. To learn more, download the datasheet How Imperva Data Security Fabric Reduces Splunk Operational Costs and Improves Security Insights.
Try Imperva for Free
Protect your business for 30 days on Imperva.